Auth0 Home Blog Docs

Sign in With Apple - Access Token

After a successful login in which my Web App receives the TokenResponse - containing the access_token, expirations time, id_token, refresh_token, token_type - and sends the access token down to the client to make subsequent calls to my Web App, how do I validate the access token and the identity of the user? Should the access token be the Authorization Bearer token or should the identity_token be the Authorization Bearer token? Do the steps below make sense? or do I have something mixed up?

  1. When the user first signs in on the client, Apple ID server sends back the Client ID, Identity Token, Authorization Code
  2. Client app sends those 3 credentials to the Web API
  3. The Web API FIRST checks the validity of the Identity Token, NEXT, if verified, calls Apple ID servers ( to get the TokenResponse (contains access_token, expiration time, id_token, refresh_token, token_type)
  4. Web API stores the refresh_token on the DB
  5. Web API sends the the access_token to client.
  6. Client sends access_token on all subsequent calls to Web API

Hello, how are you?

As described in this doc page (, Identity Tokens are meant for application use only. So when securing your API you should send Access Token in the Authorization header.

So should validate the access token as described here (in Golang) for example:

Is the access token you received from Auth0 login a valid JWT? Did you check that?


Ezequiel Aceto

Appreciate the response but this is regarding the new Sign In With Apple API -

I noticed that auth0 created a few blog posts on Sign In With Apple and was hoping the auth0 team could provide some insight on my question above. But I think I figured it out. After the user is authenticated, the client app receives the credentials, sends the credentials to my server. My server will verify the identity_token provided by Apple’s server, I’ll have my server create a refresh token, send it down to the client and then the next time the client calls my server, I’ll verify the refresh token and then send down an access token.

I won’t do steps 4, 5, 6 and the TokenResponse step in 3.